author J. Bruce Fields <[email protected]> 2022-01-05 14:15:03 -0500
committer Chuck Lever <[email protected]> 2022-01-08 14:42:03 -0500
commit 074b07d94e0bb6ddce5690a9b7e2373088e8b33a (patch)
tree f8243be7bd9a7a5072b7c05af20d7cf1751477b4
parent 7f4f5d70adfd88a08d6e122cfe2cf637ff84dd11 (diff)
nfsd: fix crash on COPY_NOTIFY with special stateid
RTM says "If the special ONE stateid is passed to nfs4_preprocess_stateid_op(), it returns status=0 but does not set *cstid. nfsd4_copy_notify() depends on stid being set if status=0, and thus can crash if the client sends the right COPY_NOTIFY RPC."

RFC 7862 says "The cna_src_stateid MUST refer to either open or locking states provided earlier by the server. If it is invalid, then the operation MUST fail."

The RFC doesn't specify an error, and the choice doesn't matter much as this is clearly illegal client behavior, but bad_stateid seems reasonable.

Simplest is just to guarantee that nfs4_preprocess_stateid_op, called with non-NULL cstid, errors out if it can't return a stateid.

Reported-by: [email protected]
Fixes: 624322f1adc5 ("NFSD add COPY_NOTIFY operation")
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Chuck Lever <[email protected]>
Reviewed-by: Olga Kornievskaia <[email protected]>
Tested-by: Olga Kornievskaia <[email protected]>
-rw-r--r-- fs/nfsd/nfs4state.c | 6
1 files changed, 5 insertions, 1 deletions
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index eb920f855969..72900b89cf84 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -6058,7 +6058,11 @@ nfs4_preprocess_stateid_op(struct svc_rqst *rqstp,
*nfp = NULL;
if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) {
- status = check_special_stateids(net, fhp, stateid, flags);
+ if (cstid)
+ status = nfserr_bad_stateid;
+ else
+ status = check_special_stateids(net, fhp, stateid,
+ flags);
goto done;
}
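Review bot: The new `if (cstid)` branch deserves a one-line comment stating why a non-NULL cstid turns the special ZERO/ONE stateids into nfserr_bad_stateid, since the reason (a caller such as nfsd4_copy_notify() needs a real stateid returned whenever status is 0, and the special stateids never produce one) lives only in the commit message and will not be obvious to the next reader of this function. Something like `/* callers asking for a stateid cannot use the special ids */` above the `if (cstid)` would do. Also note that this hunk only covers the special-stateid early-exit path; the commit message promises that the function "errors out if it can't return a stateid" whenever cstid is non-NULL, so the remaining return paths of nfs4_preprocess_stateid_op() (not visible here) should be checked to confirm none of them reaches `done` with status 0 and *cstid still unset.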